Bug 895601: Add tests to cert verification in psm. r=keeler.
authorCamilo Viecco <cviecco@mozilla.com>
Tue, 30 Jul 2013 11:18:40 -0700
changeset 151906 329c833e46173a81b063bf7e3cbe97af541134d4
parent 151905 b7c32ea628e2baf668ba863fbee02ca606ce9af1
child 151907 0b2a0462fba7f0e55994f6ffcfced411cc01c9c7
push id25512
push usercbook@mozilla.com
push dateThu, 24 Oct 2013 05:06:01 +0000
reviewerskeeler
bugs895601
milestone27.0a1
Bug 895601: Add tests to cert verification in psm. r=keeler.
security/manager/ssl/tests/unit/psm_common_py/CertUtils.py
security/manager/ssl/tests/unit/psm_common_py/__init__.py
security/manager/ssl/tests/unit/test_cert_signatures.js
security/manager/ssl/tests/unit/test_cert_signatures/ca-dsa.der
security/manager/ssl/tests/unit/test_cert_signatures/ca-p384.der
security/manager/ssl/tests/unit/test_cert_signatures/ca-rsa.der
security/manager/ssl/tests/unit/test_cert_signatures/dsa-tampered-int-valid-ee.der
security/manager/ssl/tests/unit/test_cert_signatures/dsa-valid-int-tampered-ee.der
security/manager/ssl/tests/unit/test_cert_signatures/dsa-valid.der
security/manager/ssl/tests/unit/test_cert_signatures/generate.py
security/manager/ssl/tests/unit/test_cert_signatures/int-dsa-tampered.der
security/manager/ssl/tests/unit/test_cert_signatures/int-dsa-valid.der
security/manager/ssl/tests/unit/test_cert_signatures/int-p384-tampered.der
security/manager/ssl/tests/unit/test_cert_signatures/int-p384-valid.der
security/manager/ssl/tests/unit/test_cert_signatures/int-rsa-tampered.der
security/manager/ssl/tests/unit/test_cert_signatures/int-rsa-valid.der
security/manager/ssl/tests/unit/test_cert_signatures/p384-tampered-int-valid-ee.der
security/manager/ssl/tests/unit/test_cert_signatures/p384-valid-int-tampered-ee.der
security/manager/ssl/tests/unit/test_cert_signatures/p384-valid.der
security/manager/ssl/tests/unit/test_cert_signatures/rsa-tampered-int-valid-ee.der
security/manager/ssl/tests/unit/test_cert_signatures/rsa-valid-int-tampered-ee.der
security/manager/ssl/tests/unit/test_cert_signatures/rsa-valid.der
security/manager/ssl/tests/unit/xpcshell.ini
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/psm_common_py/CertUtils.py
@@ -0,0 +1,139 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# This file requires openssl 1.0.0 at least
+
+import os
+import random
+
+def init_dsa(db_dir):
+    """
+    Initialize dsa parameters
+
+    Sets up a set of params to be reused for DSA key generation
+
+    Arguments:
+      db_dir     -- location of the temporary params for the certificate
+    """
+    dsa_key_params = db_dir + "/dsa_param.pem"
+    os.system ("openssl dsaparam -out "+ dsa_key_params + " 2048")
+
+
+def generate_cert_generic(db_dir, dest_dir, serial_num,  key_type, name,
+                          ext_text, signer_key_filename = "",
+                          signer_cert_filename = ""):
+    """
+    Generate an x509 certificate with a sha256 signature
+
+    Preconditions:
+      if dsa keys are to be generated init_dsa must have been called before.
+
+
+    Arguments:
+      db_dir     -- location of the temporary params for the certificate
+      dest_dir   -- location of the x509 cert
+      serial_num -- serial number for the cert (must be unique for each signer
+                    key)
+      key_type   -- the type of key generated: potential values: 'rsa', 'dsa',
+                    or any of the curves found by 'openssl ecparam -list_curves'
+      name       -- the common name for the cert, will match the prefix of the
+                    output cert
+      ext_text   -- the text for the x509 extensions to be added to the
+                    certificate
+      signer_key_filename -- the filename of the key from which the cert will
+                    be signed if null the cert will be self signed (think CA
+                    roots).
+      signer_cert_filename -- the certificate that will sign the certificate
+                    (used to extract signer info) it must be in DER format.
+
+    output:
+      key_name   -- the filename of the key file (PEM format)
+      cert_name  -- the filename of the output certificate (DER format)
+    """
+    key_name = db_dir + "/"+ name + ".key"
+    if key_type == 'rsa':
+      os.system ("openssl genpkey -algorithm RSA -out " + key_name +
+                 " -pkeyopt rsa_keygen_bits:2048")
+    elif key_type == 'dsa':
+      dsa_key_params = db_dir + "/dsa_param.pem"
+      os.system("openssl gendsa -out " + key_name + "  " + dsa_key_params)
+    else:
+      #assume is ec
+      os.system("openssl ecparam -out " + key_name + " -name "+ key_type +
+                " -genkey");
+    csr_name =  db_dir + "/"+ name + ".csr"
+    os.system ("openssl req -new -key " + key_name + " -days 3650" +
+               " -extensions v3_ca -batch -out " + csr_name +
+               " -utf8 -subj '/CN=" + name + "'")
+
+    extensions_filename = db_dir + "/openssl-exts"
+    f = open(extensions_filename,'w')
+    f.write(ext_text)
+    f.close()
+
+    cert_name =  dest_dir + "/"+ name + ".der"
+    if not signer_key_filename:
+        signer_key_filename = key_name;
+        os.system ("openssl x509 -req -sha256 -days 3650 -in " + csr_name +
+                   " -signkey " + signer_key_filename +
+                   " -set_serial " + str(serial_num) +
+                   " -extfile " + extensions_filename +
+                   " -outform DER -out "+ cert_name)
+    else:
+        os.system ("openssl x509 -req -sha256 -days 3650 -in " + csr_name +
+                   " -CAkey " + signer_key_filename +
+                   " -CA " + signer_cert_filename + " -CAform DER " +
+                   " -set_serial " + str(serial_num) + " -out " + cert_name +
+                   " -outform DER  -extfile " + extensions_filename)
+    return key_name, cert_name
+
+
+
+def generate_int_and_ee(db_dir, dest_dir, ca_key, ca_cert, name, int_ext_text,
+                        ee_ext_text, key_type = 'rsa'):
+    """
+    Generate an intermediate and ee signed by the generated intermediate. The
+    name of the intermediate files will be the name '.der' or '.key'. The name
+    of the end entity files with be "ee-"+ name plus the appropiate prefixes.
+    The serial number will be generated radomly so it is potentially possible
+    to have problem (but very unlikely).
+
+    Arguments:
+      db_dir     -- location of the temporary params for the certificate
+      dest_dir   -- location of the x509 cert
+      ca_key     -- The filename of the key that will be used to sign the
+                    intermediate (PEM FORMAT)
+      ca_cert    -- The filename of the cert that will be used to sign the
+                    intermediate, it MUST be the private key for the ca_key.
+                    The file must be in DER format.
+      name       -- the common name for the intermediate, will match the prefix
+                    of the output intermediate. The ee will have the name
+                    prefixed with "ee-"
+      int_ext_text  -- the text for the x509 extensions to be added to the
+                    intermediate certificate
+      ee_ext_text  -- the text for the x509 extensions to be added to the
+                    end entity certificate
+      key_type   -- the type of key generated: potential values: 'rsa', 'dsa',
+                    or any of the curves found by 'openssl ecparam -list_curves'
+
+    output:
+      int_key   -- the filename of the intermeidate key file (PEM format)
+      int_cert  -- the filename of the intermediate certificate (DER format)
+      ee_key    -- the filename of the end entity key file (PEM format)
+      ee_cert   -- the filename of the end entity certficate (DER format)
+
+    """
+    [int_key, int_cert] = generate_cert_generic(db_dir, dest_dir,
+                                                random.randint(100,40000000),
+                                                key_type, "int-" + name,
+                                                int_ext_text,
+                                                ca_key, ca_cert)
+    [ee_key, ee_cert] = generate_cert_generic(db_dir, dest_dir,
+                                              random.randint(100,40000000),
+                                              key_type,  name,
+                                              ee_ext_text, int_key, int_cert)
+
+    return int_key, int_cert, ee_key, ee_cert
+
+
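Review bot: Every `os.system(...)` call in init_dsa and generate_cert_generic discards the exit status, so a failed openssl step (missing binary, unknown curve name, rejected extension text) still returns key and cert filenames, and the caller may go on to sign with, or check in, missing or stale files. The commands are also built by string concatenation and run through the shell, so a `db_dir`, `dest_dir` or `name` containing a space or shell metacharacter changes what is executed. Passing argument lists to `subprocess.check_call` (with `import subprocess` next to the existing imports) fixes both, and the two x509 invocations can share one argument list. Separately, the generate_int_and_ee docstring says ca_cert "MUST be the private key for the ca_key", which presumably should read "the certificate matching ca_key".

```python
def init_dsa(db_dir):
    # … unchanged: docstring, dsa_key_params …
    subprocess.check_call(["openssl", "dsaparam", "-out", dsa_key_params,
                           "2048"])

def generate_cert_generic(db_dir, dest_dir, serial_num,  key_type, name,
                          ext_text, signer_key_filename = "",
                          signer_cert_filename = ""):
    # … unchanged: docstring, key_name …
    if key_type == 'rsa':
        subprocess.check_call(["openssl", "genpkey", "-algorithm", "RSA",
                               "-out", key_name,
                               "-pkeyopt", "rsa_keygen_bits:2048"])
    elif key_type == 'dsa':
        dsa_key_params = db_dir + "/dsa_param.pem"
        subprocess.check_call(["openssl", "gendsa", "-out", key_name,
                               dsa_key_params])
    else:
        # anything else is treated as an EC curve name
        subprocess.check_call(["openssl", "ecparam", "-out", key_name,
                               "-name", key_type, "-genkey"])
    # … unchanged: csr_name …
    subprocess.check_call(["openssl", "req", "-new", "-key", key_name,
                           "-days", "3650", "-extensions", "v3_ca", "-batch",
                           "-out", csr_name, "-utf8", "-subj", "/CN=" + name])
    # … unchanged: extensions file written, cert_name …
    x509_args = ["openssl", "x509", "-req", "-sha256", "-days", "3650",
                 "-in", csr_name, "-set_serial", str(serial_num),
                 "-extfile", extensions_filename,
                 "-outform", "DER", "-out", cert_name]
    if not signer_key_filename:
        # self-signed: sign with the key that was just generated
        x509_args += ["-signkey", key_name]
    else:
        x509_args += ["-CAkey", signer_key_filename,
                      "-CA", signer_cert_filename, "-CAform", "DER"]
    subprocess.check_call(x509_args)
    return key_name, cert_name
```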
new file mode 100644
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures.js
@@ -0,0 +1,89 @@
+// -*- Mode: javascript; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+"use strict";
+/*
+ * The purpose of this test is to verify that we correctly detect bad
+ * signatures on tampered certificates. Eventually, we should also be
+ * verifying that the error we return is the correct error.
+ *
+ * To regenerate the certificates for this test:
+ *
+ *      cd security/manager/ssl/tests/unit/test_cert_signatures
+ *       ./generate.py
+ *      cd ../../../../../..
+ *      make -C $OBJDIR/security/manager/ssl/tests
+ *
+ * Check in the generated files. These steps are not done as part of the build
+ * because we do not want to add a build-time dependency on the OpenSSL or NSS
+ * tools or libraries built for the host platform.
+ */
+
+do_get_profile(); // must be called before getting nsIX509CertDB
+const certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
+
+const ca_usage = 'SSL CA';
+const int_usage = 'Client,Server,Sign,Encrypt,SSL CA,Status Responder';
+const ee_usage = 'Client,Server,Sign,Encrypt';
+
+const cert2usage = {
+  // certs without the "int" prefix are end entity certs.
+  'int-rsa-valid': int_usage,
+  'rsa-valid': ee_usage,
+  'int-p384-valid': int_usage,
+  'p384-valid': ee_usage,
+  'int-dsa-valid': int_usage,
+  'dsa-valid': ee_usage,
+
+  'rsa-valid-int-tampered-ee': "",
+  'p384-valid-int-tampered-ee': "",
+  'dsa-valid-int-tampered-ee': "",
+
+  'int-rsa-tampered': "",
+  'rsa-tampered-int-valid-ee': "",
+  'int-p384-tampered': "",
+  'p384-tampered-int-valid-ee': "",
+  'int-dsa-tampered': "",
+  'dsa-tampered-int-valid-ee': "",
+
+};
+
+function load_ca(ca_name) {
+  let ca_filename = ca_name + ".der";
+  addCertFromFile(certdb, "test_cert_signatures/" + ca_filename, 'CTu,CTu,CTu');
+
+  do_print("ca_name=" + ca_name);
+  let cert = certdb.findCertByNickname(null, ca_name);
+
+  let verified = {};
+  let usages = {};
+  cert.getUsagesString(true, verified, usages);
+  do_check_eq(ca_usage, usages.value);
+}
+
+function run_test() {
+  // Load the ca into mem
+  load_ca("ca-rsa");
+  load_ca("ca-p384");
+  load_ca("ca-dsa");
+
+  // Load certs first
+  for (let cert_name in cert2usage) {
+    let cert_filename = cert_name + ".der";
+    addCertFromFile(certdb, "test_cert_signatures/" + cert_filename, ',,');
+  }
+
+  // Now do the checks
+  for (let cert_name in cert2usage) {
+    do_print("cert_name=" + cert_name);
+
+    let cert = certdb.findCertByNickname(null, cert_name);
+
+    let verified = {};
+    let usages = {};
+    cert.getUsagesString(true, verified, usages);
+    do_check_eq(cert2usage[cert_name], usages.value);
+  }
+}
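Review bot: load_ca and the check loop in run_test compare only `usages.value`, so a tampered certificate passes whenever verification fails for any reason; the `verified` out-parameter filled by `cert.getUsagesString(true, verified, usages)` is never read. The header comment already admits the returned error is not checked. Storing an expected verification status beside each usage string in `cert2usage` and adding `do_check_eq(expected_status, verified.value);` would keep the test from passing on an unrelated failure, such as an untrusted or non-CA issuer. The status value a bad signature produces is not visible in this diff and would need confirming against the nsIX509Cert interface.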
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..619b3e10de73e776d0a272508d318eae439155f9
GIT binary patch
literal 1067
zc$@(%1l0R5f&?cpf&<N<0|Eg80s|I{8!!t731Egu0c8UO0|GD+F%K{e1_M<D0}KXZ
zVJ&2HVK5#S4KXt@FfuYRI503VHd+@AGBYtSGB7bXFfcJTS}+kY4=@b|162eA3<hIi
zEo5_HFoFX|FoFU)1_vsJNX|F}0Wg9BEdqi80RXCux=1s>_YX5dBL87`8l5b+Ae*03
zeyc`JGqDXlkO7Yje4RpgJD`+mHs;C9O4A^s9sQCh+2H^fIsG?SFEI*Ak5|x~A!tk3
zyEe2xwQ4a1gWmPYm`0B^fc$y$JnFBl_``UCcOHsJwaz8Y)GE=n5KEH=RG&$QCxgrp
z+1=PPqL}FkN@RhXKV7*$E+%Ib1AWFB4rIYcOX*j;5FeV^XXX#E9W>v?nlNgE+bR4x
zuZ?~~;KOZfW=e+nvT((TcLcV>FQh%uU8v)mVjG^1<e%oXQNbQLTgJSgC9SE52F56d
zHF8%D?N*{~l;w<Ya%}a>nqEn8sR2nOdNTqc0L6S{Om?RV9MY&iMDRs2C%of(fFi9~
zowgV-kSP^L0|J5p0RV*F!wW$O$;ek-7IVvW2ZNRr&qSH55BGm{?ezsC81Pl8KRZb_
z-687n?%CEhBC5fXydzSqqxGWhL?W}7zO`_~e1A$ikwy{OZ0SG*Kq2HjZ{T*KLi{?0
ze8h4-*V*9AT_fIGBKm8`QT!qc=Wv0Wr6o}mDU7XCS75fgpYx}mk==*g_7}(f8BdxP
znhqc}!}mM;Vz4iR!}Qrl&`4U%)iIY|J5#nq#VfKCTLM7%q3*#wF+S*1#fCO6?A=kV
zlYb4X_Uq#1>=N!?(L;uFt2aKQFXoY8TC(s#vW~1n7de8?fU|WkEzWsAI=NqqPe3B`
z6Cj|NI=S;-y=Mc00R;d8f&l;l7u5AS*3*XNvGzCZ(rq7^;31J<b#p7`!m_-ny$BfF
z7kT!z-#{aOC@?p_%}-j*X*`bFOdTN$w(#0eh-OP+!7=p&Lyln^wV4g_y$#H_?b)@i
zgmGe63swit38edS`JsBWdtId};70`UKM1J=MEk;;9I_1%epJOHPN}yyikcj+0Hj(5
z7eFIn!K8tZi>Yt_#-o|5vD*t6RPsgGZw1SDn7_R>5Yd_~^Y_s0Sxvk9m-%qV3M0VJ
zrdHyb>mRC_huLUD@^dI%zp$(NvoA@D?7#U?$Xl>l9l8DSi~*!2fX@9EdSjyl6T1lp
zLf>oKTi7GiKTxdxC{RYDBQPN_4+aBO9TNco{{#gv0|5d5Fb)O-RUHoj0sjO90|EjB
zFbf6=V1`HmWdj5Q0s}_?Fhl|%N0v*{&JVmfBfG!CcQBOhBI_LI=kmacbJkDob(U6D
l0w8>}<*p1|Uow<jM9yB$rY1WbnD=J3eS3RbOHJjJXVPl|(6Rsk
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..76f6ca35b87b5d1cee764f540689bf2d09276b45
GIT binary patch
literal 375
zc$_n6Vk|aj{JnsgiIItknQ7}`11>fWtu~Kywk*s{2114c27GMHp)AZi?8%9`1;!R8
z26E!OhQ@{lMn;Af1_p+vQR2KtAg%$Fi&amVfdCsj*i<G)HdgIM76v8eBnFn9mmlrC
z5p+Fg^ClCUoW6Z)&$oP-@p=Bu9eZzQY%W`AxV3Kcq8aJ70mZ52`vqEW#a6|&TgbY;
z;GVH##pHLJntuwE_)Ox~co6V++TV}Q+@8p9zT}&lvV6+<*0koU8QDJnt}RwJP&D8N
zx<yu)k?}tZs{u2R0y|EYA0z<uA`=U;hndqE3{sd33PSEZ`N#7jPax`a*w#xOR*&?`
zKgCUF{dw?7q~1coOLMNOg*$G&v&ABQLhT}RKh}08gDT(54?FE<Us|ZFyqW1lRCY_P
kvgcFw%g>ILothBUCX;za)lTn((YI2LoqPVb<?Xlw07!m`EdT%j
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..88b9a764092133ef9e2b89794c40d2e502fae1d8
GIT binary patch
literal 710
zc$_n6Vmf5d#JFk!GZP~d6SMk3P6J*xPOUbNw(q=*jNGgY27-qCKq2N(7G@r{<V4+~
z;zR>Eab81XLjxltLkj}~L$fGxULz3K0LsOtrHN4q*<eOi2IeM4eg>d87gG}>Bg3)j
zVowgoY5cnpA<<>|-XlJ7>IV5sS59p>>>KW8^Uv*heA3;Dgq7>&&x>()mcF92YGJ^=
zwBXOB3%~vLy22p0w^4Am|M#ey);D?^i&pAMeN@wPyTcj2Fe&b;q+Q;vv+Xly3$E_p
z&K%0zIyFzff5HX5$2JAAM<2fA<+nR_w5%!4apvaT`<o-<3lGE}-uQR_=UMX|W<Ba;
z?EIO}`RmBbT?scg`>X5xEjckQ;4^dQ>mSFa>Yi+Ssjx=rf%6=NL)$+e3p`tNbsD#8
zmb`fCszwVvpJykRBxl^nYJGb9^&-9$`7Iw7S{N_dWSn#A=QBpdNV#*r5+v^2D-N4E
zabH#W1O4N=ubG$`85kEU8z>s^0|QQ0n33^63#$P$kTT!{3GjmiSeTiZSkU5!85DYx
z-zhrw-Ou5@ome()@~bP}u3~Q=Z$0v;c;+vq+qSWv?`#Q}7V};zwaMz)lBj0;UPFeL
z<q<8sleVe&EdBVr@7NV3_1mHq6QeHvy4&Pt_lSLGV*0&l2da)FdbzQrnmdbqns!$A
zT;K#-)%2OQBK4goo+bat|8qCG{!rQUqib$T>+ak3a?O<^d-uvK8OE$ih`VI7OV~62
zkz3-OkgDrWS~7uiubq`=&fV|(Hufyv(i5|b`HuP6PBV&TYrFG=y??*Q;*TwC|L2-`
z9o;zj&FiT<Yz(G^#ePq!y-~bp>e54Mn{qSc{CBXGvZ)3>nQ-x@a*1$l=UdM`VnU4;
O`)dlTgnyeZIS&9ll`JIy
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..5d0350db3c9a6c7b33486cd63f504dd46e846980
GIT binary patch
literal 1088
zc$@)11i$+*f&@G;f&<~80|Eg80s|lB#V`v731Egu0c8UO0|GD`F&Quy1_M<D0}K#p
zZgeeVb73uXVQp|_a%E&N9v2NUGchnSGBG$XFfle-7Y#BqF)%VPF*q<VF*aH-Brzf|
zAO-_f1Op5iWOHFHbYX39WpZU?Eop9aEp}mSX=E*BWiWyRM=*i{ItB+ShDgph1OYID
z0xbf90RaH2jJilOzxNL_LL&cRcN(26w;-FJQhuvOO*63#J&*y941AqJcsrn!YBuJ{
z%u3TBq8<H`DB0lv7&-knST8XON{?62oFQmS*t<5gKecKx1%ux8$(TluHGuqi^E~RW
zt@y)ufp;E?NVU!-&D1K<wGc~_22`I(hbM!~5!v0?GoqO32})#vn?GH-KQ1O`6a#(6
z84hH@M@#8fyAU6m*=ObtupKnt#hNf`gWD<mIj@a=L*T=0Y-UP^`Lb}uiFX9H!!M*g
z(OszHn_?TDkK~``wNb$yIa|iOpe3!Thz7<ehc$9n4((Q=ZItDVaB^(*%bH$EaH#=F
zBziLfAppgEWK4Fa3LMg?KSc0FGAF#_dw?RXS)H~RFpwz~MgszZ0RaGn-opz)2+7D-
zT^4i8bq9l%6wgGNtPl5pb?x;9BN*^isXseOHr*lW@$T8yHX^FQlDs2QtfTd!?nEN9
zm%g=d#C(5BJCQ~a*=*@R1VAC=Ja6E3qC)&ShJ3_wKG)gc%v~eiTO#^v$5H$u3+Hfw
zo24aD6e*0YQ&(WNyPxx?pOM{%-S!v9{TWZ17MczqHN*Ei`(m&!gTwUMN6<)G&DAlN
zUOQ8^M8zwz6I%j6_@VB>JuyD$Q^kfhF6`Y=t&@KZtM=>S<?IsfUeQB_bE`K#qc7%>
zU|O>9L9&jlLl-%M&VaLZFD=e_KRUTzi%&oz^AjMTm^!)hU%h7of&m2p0)hbmVjTTT
zoniV*JlMq8KpoynX}fmH9@l@Y)_4FZEgp=vx`SGwJ(a)on`M2Z$>06%R_GgaSq<fn
zNB~^RX)}-@(K<suCn1!Y!KXWU+tQ?d#2!Yo$Y#6&HGG|wW%{>`MCjL&!Ga2aL~wl*
zp;1N~gHHFFDX{QLNe=gi_oW?;;T^kTx&>YPlEIb#j1ge*Z;d7@6Z0HiHDA>;89YiT
z6&r*q@(KC?PIR|xY(AC6s6kk#m5<K{D)gW^x;QbF0$KO2!P1VX85ySG%S{Oc8r$%|
z@OFC9v<yLpvF;_u{3%TV_NMU7bw<hi?vMwv7WW(;KBWbr0+1&)Gi0mmqZ%+6FbM_&
zRUH!q0x$qD3kCyK9S;Nq0|Ej5Fbf6=V1`HmWdj5Q0s}|@Fhv3(0H>mK4L&%LQ<))^
zgvNNweqWK?j&I)J=ETm|`8L+H00JN)rHJZ!k{l1~-`E9-jAS1QD-9)=<xGdgr4M;9
GZlY|KOw`T*
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..dd760270c29c858ac5471aa1fc8650aef429dcbf
GIT binary patch
literal 1085
zc$@(}1j73;f&@7*f&<>50|Eg80s{mhGB67U31Egu0c8UO0|GD@F%~cs1_M<D0}Ksm
zZgeeVb73uZVQgt+Fdi2TF*7kRGBPnZFfcJTS{Ds6GchnSFflkVFfle-FeEV|Fdzm4
zRRjYJ8Dw)|Ep}mSX=E*FZgeelVQp|_a%E&KWo0me14l4|0y+i<DuzhTI0OMOf&wi9
zf&l>ls*JiwGr#u_GeRQ&VRssxEVm$=pHhCSMolxZ4Ly(nj|_aBLU=o%lxjBS$;?XA
zAfg@pk|^2X02n#_H&`z*3QCVx(3~M?OW3<Mv_G|KF$II(^~sn<k2Qe&dGkE#udVpQ
zc!75wib%E2CC$_-(X|julLl0uNrxwc%n{k$*fXM-=?O|?ftx>Fxj!x@XA}c{#u*M|
z!ADE!SGy1&n%QUO53n6H-^H3RYJ=M;{5h|Uena5HZER*rhWWB^#ff(Ww!<%^J<(mL
z<C|g|o{!|8=Cx759ywdayr3nmsfY%~D2Fw2R}Sq~qHUDrjBs*n^~;)GNpPtFNhEqR
z0wDm!d}K^^rwSa>s6RyTMKUM6<9mQ2ty!J67%-426-EOBf&l>lgx<poK?upnS6vo!
z%XJ5XmK4uKnXC`@e|7Ek1tS>nRjEHaNjBXf>hbQ`);1!l!IHcqQmmu(qV7Z@vzNZL
zaKwCnN;{E85!r0%Km<S`<UDWScA`T3I);42az5AD;LKek-diI2YsXRiA`9nmft#fz
zQ4}eRty5QEw!5G6r=OAChu!uU$Nd>kniiT4AT`7HJNsg=FN4GM*+<YwTFuolmtH$l
zwnW7%vJ+bZK=`5V!96iP=u^dpHZJVlQLU4I4XgI+;^piT?q1PDhI6YoKBF(@kziV~
z@IkVUtV0($g3f@mbuTT>c|SV2UyDybBJ&d<pqM(j^IyGZ1A+ks00M#m0BZU|l&m-c
zISK)Ro{oaBFdzCS*8>iF$tpqDFK@-lFwz+=eHq<~qbn!m<szaXKq$tchm<NcZ){r2
z-l{?y4eVCe1{6e#_kG$A%T<8=#R)lnk5K|Qg9X4lY-P=c{U7ivG;N>3VI&z&e8IQ&
zaE#k|H$H|CB5>t*b4L<Tf3wKGf|$s5ejCr6gDCJP1)5c{_JY-@p0DA-ffwly!@6HH
zKhc0b$_*K^`v(BeCYgye4fT)27-aDp2Cv(KokzanX)m7FP9J<Uo2M4suC|U#;`PdN
zQcqG0pgM{V0VN^`^#&h>CXjW<WThqSyrnp`UM)GcWywZdr>MLM@}n9s7%&M2163Up
z1OhMsFbf6)RUHom1OoyA{xAy$31Egu0c8UO0|Em`05C-YAZ--$?99j4l;6+}Rf$H+
zww)_E_F*MtNoFL*WwH6BI|3m9o7&huxerL@O!h$_v7RJmK6G<MXN_6&bsFv<K*jN*
Dc_+-T
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..4dfc561a500e7e5f07cef400d9091b9baaa00a77
GIT binary patch
literal 1069
zc$@((1k(F3f&?irf&<Q=0|Eg80s{{YyD$p|31Egu0c8UO0|GD@F%~cs1_M<D0}Ksm
zZgeeVb73uZVQgt+Fdi2TF*7kRGBPnZFfcJTS{Ds6GchnSFflkVFfle-FcdKoFc1a<
zRRjYJ31o9&Ep}mSX=E^h14l4|0y+i<DuzhTI0OMOf&wi9f&l>ls*JiwGr#u_GeRQ&
zVRssxEVm$=pHhCSMolxZ4Ly(nj|_aBLU=o%lxjBS$;?XAAfg@pk|^2X02n#_H&`z*
z3QCVx(3~M?OW3<Mv_G|KF$II(^~sn<k2Qe&dGkE#udVpQc!75wib%E2CC$_-(X|ju
zlLl0uNrxwc%n{k$*fXM-=?O|?ftx>Fxj!x@XA}c{#u*M|!ADE!SGy1&n%QUO53n6H
z-^H3RYJ=M;{5h|Uena5HZER*rhWWB^#ff(Ww!<%^J<(mL<C|g|o{!|8=Cx759ywda
zyr3nmsfY%~D2Fw2R}Sq~qHUDrjBs*n^~;)GNpPtFNhEqR0wDm!d}K^^rwSa>s6RyT
zMKUM6<9mQ2ty!J67%-426-EOBf&l>lgx<poK?upnS6vo!%XJ5XmK4uKnXC`@e|7Ek
z1tS>nRjEHaNjBXf>hbQ`);1!l!IHcqQmmu(qV7Z@vzNZLaKwCnN;{E85!r0%Km<S`
z<UDWScA`T3I);42az5AD;LKek-diI2YsXRiA`9nmft#fzQ4}eRty5QEw!5G6r=OAC
zhu!uU$Nd>kniiT4AT`7HJNsg=FN4GM*+<YwTFuolmtH$lwnW7%vJ+bZK=`5V!96iP
z=u^dpHZJVlQLU4I4XgI+;^piT?q1PDhI6YoKBF(@kziV~@IkVUtV0($g3f@mbuTT>
zc|SV2UyDybBJ&d<pqM(j^IyGZ1A+ks00M#m0CzFrk}@76ryNwz#$5*;`1X8*j$I%6
z1c)`Zc|LlcH#XpsxHB!wgr7wV>UPNG$^pLp#tUPwi`zONj6~lLBUM%x%4kP=7DkpI
zM2&hPmQ~poqmT)Ff3upHw!h2I=VnUVM1;V#yhZX!S~CV7q+S>?%%B4i^Z2#FeieuK
z#ZrVL>@pjv`Iqu%uYE=tS8t`(#y5nE0|4elOl4XmMdT9#GA$5nyHq^uSNS`IZU*Wd
z5e4mK|6@KfQ&S_^LG+!AtuqDP0_C3i$|@;%+HvE;>vt3-Vo|%{z1Xbzt-DM@FF*a!
z7o4O<NA1|KXbRny)#7xET%&m4dVLCmHKQ6Z7%&M2163Up1OhMsFbf6)RUHom1OoyA
z{xAy$31Egu0c8UO0|Em`05C-YAbK&Kj|Zzf`b^G+_+heB_W`h8Cb)ASZB2IVci5nw
n6apatr@*<iIxIS2IGJE3;{2Ox^wKye!q2wq5l&oU<f(87geJ<0
new file mode 100755
--- /dev/null
+++ b/security/manager/ssl/tests/unit/test_cert_signatures/generate.py
@@ -0,0 +1,104 @@
+#!/usr/bin/python
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+import tempfile, os, sys
+import random
+libpath = os.path.abspath('../psm_common_py')
+
+sys.path.append(libpath)
+
+import CertUtils
+
+srcdir = os.getcwd()
+db = tempfile.mkdtemp()
+
+CA_basic_constraints = "basicConstraints=critical,CA:TRUE\n"
+CA_limited_basic_constraints = "basicConstraints=critical,CA:TRUE, pathlen:0\n"
+EE_basic_constraints = "basicConstraints=CA:FALSE\n"
+
+CA_min_ku = "keyUsage=critical, keyCertSign\n"
+CA_bad_ku = ("keyUsage=digitalSignature, nonRepudiation, keyEncipherment," +
+                     " dataEncipherment, keyAgreement, cRLSign\n")
+EE_full_ku = ("keyUsage=digitalSignature, nonRepudiation, keyEncipherment," +
+                      " dataEncipherment, keyAgreement, keyCertSign, cRLSign\n")
+
+Server_eku= "extendedKeyUsage=critical,serverAuth,clientAuth\n"
+
+pk_name = {'rsa': 'rsa', 'dsa': 'dsa', 'p384': 'secp384r1'}
+
+
+def tamper_cert(cert_name):
+    f = open(cert_name, 'r+b')
+    f.seek(-3, 2) # third byte from the end to ensure we only touch the
+    # signature value. The location for the perturbation ensures that we are
+    # modifying just the tbsCertificate without the need of parsing the
+    # certificate. Also this guarantees that if a failure occurs it is because
+    # of an invalid signature and not another field that might have become
+    # invalid.
+    b = bytearray(f.read(1))
+    for i in range(len(b)):
+        b[i] ^= 0x77
+    f.seek(-1, 1)
+    f.write(b)
+    f.close()
+    return 1
+
+def generate_certs():
+
+    CertUtils.init_dsa(db)
+    ee_ext_text = EE_basic_constraints + EE_full_ku
+    for name, key_type in pk_name.iteritems():
+        ca_name = "ca-" + name
+        [ca_key, ca_cert] = CertUtils.generate_cert_generic(db,
+                                                            srcdir,
+                                                            random.randint(100,4000000),
+                                                            key_type,
+                                                            ca_name,
+                                                            CA_basic_constraints + CA_min_ku)
+
+        [valid_int_key, valid_int_cert, ee_key, ee_cert] =  (
+            CertUtils.generate_int_and_ee(db,
+                                          srcdir,
+                                          ca_key,
+                                          ca_cert,
+                                          name + "-valid",
+                                          CA_basic_constraints,
+                                          ee_ext_text,
+                                          key_type) )
+
+        [int_key, int_cert] = CertUtils.generate_cert_generic(db,
+                                                            srcdir,
+                                                            random.randint(100,4000000),
+                                                            key_type,
+                                                            "int-" + name + "-tampered",
+                                                            ee_ext_text,
+                                                            ca_key,
+                                                            ca_cert)
+
+
+        [ee_key, ee_cert] = CertUtils.generate_cert_generic(db,
+                                                            srcdir,
+                                                            random.randint(100,4000000),
+                                                            key_type,
+                                                            name + "-tampered-int-valid-ee",
+                                                            ee_ext_text,
+                                                            int_key,
+                                                            int_cert)
+        #only tamper after ee has been generated
+        tamper_cert(int_cert);
+
+        [ee_key, ee_cert] = CertUtils.generate_cert_generic(db,
+                                                            srcdir,
+                                                            random.randint(100,4000000),
+                                                            key_type,
+                                                            name + "-valid-int-tampered-ee",
+                                                            ee_ext_text,
+                                                            valid_int_key,
+                                                            valid_int_cert)
+        tamper_cert(ee_cert);
+
+
+generate_certs()
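Review bot: The tampered intermediate (`"int-" + name + "-tampered"`) is generated with `ee_ext_text`, i.e. `basicConstraints=CA:FALSE`, while the valid intermediate gets `CA_basic_constraints`. The `-tampered-int-valid-ee` chain may therefore already be rejected because its issuer is not a CA, and the test could pass without the signature check being exercised. Passing `CA_basic_constraints,` in that call would make the flipped byte the only difference from the valid chain. The comment in tamper_cert also contradicts itself: the byte at offset -3 falls in the signature value, not the tbsCertificate, so it should read something like `# flip one byte near the end of the file, inside signatureValue; tbsCertificate is left untouched`.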
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..38736d8b85a867cb06e79d476ef0177657c47841
GIT binary patch
literal 1068
zc$@(&1k?L4f&?fqf&<Q=0|Eg80s}5m$S?~A31Egu0c8UO0|GD+F%K{e1_M<D0}KXZ
zVJ&2HVK5#S4KXt@FfuYRI503VHd+@AGBYtSGB7bXFfcJTS}+?i888<H162eA3=nB<
zbS-3aVJ&oFZE$6BWn?gd14l4|0y+i<DuzhTI0OMOf&wi9f&l>ls*JiwGr#u_GeRQ&
zVRssxEVm$=pHhCSMolxZ4Ly(nj|_aBLU=o%lxjBS$;?XAAfg@pk|^2X02n#_H&`z*
z3QCVx(3~M?OW3<Mv_G|KF$II(^~sn<k2Qe&dGkE#udVpQc!75wib%E2CC$_-(X|ju
zlLl0uNrxwc%n{k$*fXM-=?O|?ftx>Fxj!x@XA}c{#u*M|!ADE!SGy1&n%QUO53n6H
z-^H3RYJ=M;{5h|Uena5HZER*rhWWB^#ff(Ww!<%^J<(mL<C|g|o{!|8=Cx759ywda
zyr3nmsfY%~D2Fw2R}Sq~qHUDrjBs*n^~;)GNpPtFNhEqR0wDm!d}K^^rwSa>s6RyT
zMKUM6<9mQ2ty!J67%-426-EOBf&l>lgx<poK?upnS6vo!%XJ5XmK4uKnXC`@e|7Ek
z1tS>nRjEHaNjBXf>hbQ`);1!l!IHcqQmmu(qV7Z@vzNZLaKwCnN;{E85!r0%Km<S`
z<UDWScA`T3I);42az5AD;LKek-diI2YsXRiA`9nmft#fzQ4}eRty5QEw!5G6r=OAC
zhu!uU$Nd>kniiT4AT`7HJNsg=FN4GM*+<YwTFuolmtH$lwnW7%vJ+bZK=`5V!96iP
z=u^dpHZJVlQLU4I4XgI+;^piT?q1PDhI6YoKBF(@kziV~@IkVUtV0($g3f@mbuTT>
zc|SV2UyDybBJ&d<pqM(j^IyGZ1A+ks00M#m0BjNk)@)UBL;Vu#7hhCgXc2M$61%SI
z9VI@U2cM~yL=m}&sfWx&v~~nBsJ^`N<-6*{`x&NX;)77b5AlE5hxnLh@w^{NC1IJ)
z$GJqx4l9hFOJmiU-hO$<S*4rD6hAnAM3x8DSc2-4z^{Uef7u-F|AZm{tji17+Ok``
z)@M|Ek&S>Sqn$3_sLXLT-3OwG`4jw{bttQ3PttOU`6#1S+7xNroui1|U<$D}5n{lA
z<xq9lqK=vM!vMffK4UvPkX+s@X@xCh|Nm0nR$hvG7=);}`FOc4?Ux|fnK}W3Vm?j0
zFLRKPu^;GYgAH%bd6w72PLk^aohj6Ov!fa?7%&M2163Up1OhMsFbf6)RUHom1OoyA
z{xAy$31Egu0c8UO0|Em_05C)XAZDpa-c3Z9ar*=x%0ECw1iXUIf^u`QJ1pDCW)t|<
mJOUs|++Q7^L@qN6cCcKa6g;d=ktGp^)d=bP^Y;GiDcR=xj?!EJ
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..88cfbca86e3ef5e666a37e16959737a8d393331f
GIT binary patch
literal 1060
zc$@(w1l#*Cf&?Hif&;~%0|Eg80s~AfWH1W`31Egu0c8UO0|GD+F%K{e1_M<D0}KXZ
zVJ&2HVK5#S4KXt@FfuYRI503VHd+@AGBYtSGB7bXFfcJTS}+(f7BCbB162eA3=L^+
zbS-3aVJ&uHY-waLf&)k}f&w}Q2P%e0&Nu`CFoFUt0)hbn0IH0-NHf3p4>Lj{|6z9;
zoh-K?o1apCt42*Tu?;<t0gnuPokDm!pp<Gh=E=-T(;%W9{gNoz;Q$yp{Wn-IF$zkL
zSJ0dxXiM0;HncyrYB2?a-u20tMvpas{CV>{>aVT%!+3#r9*Rh{&Lz#%D$%tNOOpmv
zpGk)&gUk`x-PkjtnCS^hWPzJMUAaFlCTA1_ea0CMWWh&E=~ufDADY=`<`1wPG~dOV
zFlvL_Df~IFjebMm!)<J4N{0EeaK(vt1h&I3q&?AHsN<Vr8=jBkpXRku!5%qV#=M{<
zt*M9x#wdq1a#s%RR-$c`<&1E0Z1u~UUP*AN0ZAl!GXfz1#e8H;cBcv)(x^W~@I^8w
zyyJU-BCT1SwiqywDHTQo0)hbn0EFJd3qc6U$X8t!bIWxHgO(J}M47A)_kVTm^#vms
z@KvclJ4rU(A?oq&+1559s=<=HBT}rR^`h=XBD0siwQ$6Ie@Z)%MiJR;=|BWPA>=%7
z;C7-y{5pnw#Bx5@+2G7wBi>sg`fJBg{2~kIaDkhpB~cV9jIC2wV79xT^QWJY-G|-w
z7sve>Pns5*4j?td_dEMyurGtd^w~$yNLtO+F_&IDQ?^9KE3y+?0zmko?!i4VKIl`$
zhBhwj-BGQRe+{el>*D3?67F8nLxyv!H$I~;=8<4pvhYE&j;uo$IfBlBvvn^m&UrsN
zxnGM<KqB)KAfT8!x$|GWX9I!(1^@zr0RaG|Qi6CDNI>(AXci#*SUw@BYFzB?hi~_j
z7BFyZWwqe=xkJ52Cg5Xow)BkW*NXxuHXZ9W-chbYtJ{X@4hd>)lSt<P$5~4*`-u@m
zRPJMo98WT*wdiYBA<y)ih)mrrTbDxt6T9d{CA5h&?)jVDPFIcKLSk3%E<aaXy>8yD
zd#--b)6`m7D8+kYK=3T+|LaG$&W7$v83-}aZ2P&18sH+JzEe7h8a3_)fR3KmCj6~k
z-r%byi{Z&?5G74F8Od$86dyM-5co(;l%^KLdVJ#>Iv~56nRvoWjjPsjCJcoqY;*3r
zeApnr@h92c+dDnlTz0lX?09IY;aqg16EG1l4+aBO9TNco{{#gv0|5d5Fbf6=V1`Hm
zWdj5Q0s}|@Fhv3&Qi(3N_l9hJ<1aGcGrsq!3l1GdxV69wcUDlu&w6`E0wDmBO?w<p
e8erAj?BR0XeBF&TY**$l(o)_R-%Q*J27t`fj?KaV
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..0c9cdc1fc2dd1a3196a38463949b3195cbb3e141
GIT binary patch
literal 378
zc$_n6Vk|Rg{Ih_WiIItkSthmKfQyYotIgw_EekV~fsmnq0UsN4C<`+Wdvc;~fw6^&
zft)z6p|PQXk&&T=fq|iElsK;uh-(1l8ps$*8Aw3%2xjJ$fHmosB<2>R7Nw>blo<%H
zv4hQLVq|00Ze(FlVoqXUQQwxlqDl43dB@M!85i&NeIosy+wJ_ZV+nV?u3WCP^1U>}
z<Pcxi+vkjpJDaBWeR_Gv+vDO1`zl`z`6ICz@5P)NBvh0?uHUrg%4Mz8qzPA6YW>$t
z*wu7O!KS6<jN+zATl*FR-DJQCbd{_y3zGqZ0XK-r&jR!#<3D5{GiNdwq%j#XEPHW=
z>9}Uk2V=d)-K8q7hHD=rMle}#f85q~xNnR6yjfDN;obX7w(XP1jNkV6q)91IOXs@J
zhaERXFU^{GGGV=YzW8CbDjrw%0yze!jgR*`eU<)~zdC>Z${YOark$HmcK;6x07k@x
A^8f$<
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..ffe5bded4e6dd78dd49e29eaf36ae13b8c0135c3
GIT binary patch
literal 368
zc$_n6V$3mU{JemfiIItkh4EiXnE@9YhgO@%Ia?NHCIcZu0RuiZ=1>-99`@u!-2!6^
z69YMMUPEI;10y3t3j+f~(<pIXBM{dB$~BNQ6gLos=;6!ED*<cLElbSFOfe`k5MW~m
z8_vYY#;V=O!l1;Q#K2PHvG2Xt$qoIXw+oeD7}+1H=bCOW=pge<<fi;__q>Kw2}ONb
z{*-In{@Q{n2i6K)U$v@umC!QYNdYq-o94g16ml$<Z_^*)+=e3Cecrw2vUdNva!Pa6
z`Hp+y_TPKn&2n6|SlB?&fFI~2Sz$)T|17Kq%s>j+pUfEy2B}O2nS$vGSMH{-`K89-
z7c%MTt3=t^$0BcspWoHOdi}d(!=uk~hB4DtecrHWwb<wD3;T9688U1VwPw8aocpkE
u-^XjOGTeSnmp1$#<+@f!`S=REmABTpm9>cfpL*Q-e9`+&1`od$zXJf^W`$?~
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..c9fd5f3c5f8d7f5e52c7f2040b1dd16cd3ebf116
GIT binary patch
literal 711
zc$_n6VmfTl#JG9^GZP~d6SH!rg8?rar&gOs+jm|@Ms8LH13^Q6pb&E?3o{Q}a-wcg
zaiW2oIIp3xp@ET+p@o5gp;?qTuMvoA0OcA;8%i38L$nBF=9Pf-=$0hr7Ni!XrT{Hd
zLbigDm4Ug5k)Hu5&c)Qk$jI<!-+vuTMMil!s|T-Y8%yF>N9&y2zRE9Hr!-LO(>tC`
ze782vKc;(C?RV7CwbK+V_1>Oo{^pkIbiz#Ivi2(DM-xNO>x4#qJn}um$#3IwJ$Kh9
z%12*ET$sQ5f$OHS_97dNSKZOPe;ib`1iO2B{Ud^xRKDJjp&B?tVaIlL8@q3cZ_Y2h
zHZ{&c`2Lo{Cu*zS%n;dJrPlUzS;tLAqo->)RGNP8@tSHK*7D`Q@hO>mXD)lNR+KD#
zm>nVcST>V)&AMo@$EThzI+`4CynDj$SpSE@yz8^4E?RTgvRX{v<n=^@l9v1W)@G}|
zbmY|W6w6spThhy?cfGN0^StLp`a4=K9#H#H%EZjbz_?h-K*E3%7=*IIEKCLr2HYSf
zKMM;mmj0nd5Hl#ybiOTY-}1EEc2{25{+L~|vwbeQ{Cc}aVB4w7JC|mx;m&!-!P)+Q
zg4pgA0W;f-Wk1<C*I8R%+b`#;UDBGzzBaal;rMa0)n5%)R_>Ynmoa5Ur_l1<2d7+e
zoE_>R<dP~odv?bj;j@Xt<*YkwSDfj%a`xL=ukWq$$ETcB+4tH%dn#whw`=|fuT8w}
zxpMKp4fiAei89;!bM7r^XLufPebbfG-<q!<T2lUm`Q6Ftoo&Vw0`GMH6!p@a5q<r?
zlcYI|k-`z~P3|*gTLUfi8Pj&?#rH>Cd9uB^dhUaTuidNuv@Pu1&~d}OWcO|vVYX+<
c>`PDBxc`Y+ky9U8_v~oKqs5vV84C9S0E#3i82|tP
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..9b915761846726996f4bac260837c0873879aa04
GIT binary patch
literal 701
zc$_n6V%llY#JF$)GZP~d6SG+92LoO<POUbNw(q=*jNGgY27-qCKq2N(7G@r{<V4+~
z;zR>Eab81XLjxltLkj}~L$fGxULz3K0LnFxFcdQofoS2)%qs!u(Jf2N$xH#-q=alf
zBP#=Q6C*zZP@IdYiII_E&sxsQ=NlzdChcT-+T<d-;)z6Y{^aBFrG*_ob|0SLAFUxB
zCUG|}r*rNF_Y=K#CZ7J$Lg`itb20_>x9Po;sQz?|Y01qF#@!;lX*_a!kL6vcU9d*x
zskVV4``J31{^%t^3~5|jV=_6GX=i0f@AUgwuuG@pz#bO4SJrt4#O)akyC1yW@h0oc
z#T&DBTz7RhTC5baj4fc>w-rBUGOgar>~-jnX`{)i4Szo<Jw0Mw_eopjCi~O2jk3!&
z<~hELTC|`!ic9eR^W`#vojfH)yE^AemcRM>aQ>gZ?ao~%l6Reb%AaeUp>npI$7hD#
zyo%Osy*2k(V;{M2zENLNA^DH>;KdhnLz$Qv85kD}8weWk1H(^Nn33^63#$P$kV1<V
zW>9GPw(VOm!}_<ym8n6(T<ig@SIdmHe$DviwC8g0k*4Ph?;lOO_t<@bRp!frgiT`h
ziRmJ1Lxua=IR%w|s<O;c3BR!O(E8b51z3;W$l2S*;CRP!Y4ra)zn*US&wBXAcW<fJ
zTbHmeU838Vv-kpERBq4$W5FGBR|S9C`o|&mz^lJ9VGaL(u*}=u{-9wB_k5!Zy%T2L
z=b7-ozj=nI;4Kj=AHT9Y%Vf46HvTfbG)n97U4i;f@7Ozcay)&+R*?1TpWYwoe-HmF
zn_hepx7^92CUSjKUhO%3KLh_CliY*;ihXw3Jyq!=_l)(resiy_T)&Gi>cl1qW!*(A
TXS>(&Bv$-n{I&GUEip*|gkvPi
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..90a60f0cbe37af2743986587f63010eee9db9f4c
GIT binary patch
literal 397
zc$_n6V(c_%V&q@I%*4pV#LUaF+JK9VL#xf>oGlA8lYxw(lz{{rb0`Zlk6>nAiEe?h
zg^6xSVs1fdQEG~ToH(zcv7v#Hk)efwfuU)XIIj_iYXIdMs2VC8C_;2gq3F~FnN^mU
zlbNEMnrcvHAi%~BwvvgFja9pmg+YlqiGk&&u*zr7Uq!d4o;z7r{CZm}2iNo4vaO{y
zbI<OWwU?=MKWp|%>svf#5*PcsQo5>UN$ITJy!FHir^<Jnl52i?30oZb{UEVtk@c0|
z(Js|7&8m%&hRv^S_~!o<`DOC`je&&0VxZRyIDyWS6=q>FU@+hYG5J}5-e&xV90<%A
z3<jx828<8PB6HSjA1n`a?O(jtUYoP$_m_DyUpmizaqqL~?yMlu>W==H^>)k=i^QM&
z{JQTilOaRT{Ez9vr&#$nM27qDtpC%YFfa4MuXlDATQ~D1S8sYgD`1n@TekzIa$!<!
KlZt1&oe2OFxr-P8
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..c1ddd9d45fdf70a29a74ac04b9f01ddda9490123
GIT binary patch
literal 393
zc$_n6Vr(^NV&qxC%*4pV#LV{epaB;fhgO@%Ia?NHCId-BaRX5{=1>-99=^=H65Rr0
z3lrV4#GK3&137VCLt{e&BO^l#0|P_TC~;mR5Z3_8HBdEFHc*6Ul|pFK1({Nkm|Kuq
zl$xTOnrcvHAi%~BwvUOCja9pmg+YlqiGjt?Twa(x{`HrM+y8M`B`P`DEjI|bdBrpK
zRpGJ@m-#o-zGXcW%8iozS@QqLbJ3Qt^DPrwekDvl=<(u;OpFlUl4Yt3Q+Y3E9zE$B
zHt~P7sWnrn)O@~Y(gpv`Cv+P2zS^;Dv6O*?0VmLTvcfD(1`Gz=ASOQx(9ewjkVAku
zoxvc5$)Iop&*#0zG;VUoyl?)loF?=Com2R6Yq<-%?r1rb2uL=(IA!bHFFRwM|2A_K
zi`1u!m<)nWopqbJ*Q@^VA%(TGgW0UEis>oc>FJj>nflbH-D=~^MGM7`ZkSpzQTYw;
J9A}?4Rsd~eh2H=G
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..18fd4076e0ad35ffe987807740971a4bab9dd18f
GIT binary patch
literal 378
zc$_n6Vk|Rg{JVgeiIItkh4IvxO$J<S99nH2=WJP+nG7Ti#SKK+m_u2ZdH6E(N^}d1
zElhOF5_2+B4CKUl4UG*AjEoE|3=9lSqr`cQKwJYT*Fe-z*gz1Xl?zE*nSlTsJJ@_C
zMmARMMivGo<|GD|1qXlpK3Wm{-f+&0@ZAEusyDAEM_Gw+m+(A#p0aCx*z<z*`&C$Y
zHFPG=$>O@PH_}OW)%t?T5?fyXyXC&$P*Hu(+6e-GmOHJ@(D0Cpt~KX#S-7&*OQ&xA
zwAJpDQnFTXd|oVNAYs4>bdIbr3zGqZ0XK-r&jR!#<3D5{GiNXuq%s*4GZjku1pU0F
zDYj8g=-|s~aZg;Gx)($-KD#*iv;5AFb0_*6thuQC`R+-kLvD7m8>TQBGVInjUaqlD
xjidZPt7M@WU&6-UhlH&X#QxsX|LJ}HzU%%&${KUlJlOC<yYJ<~hg)L~0s!YEf-(RA
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..e06b2e9a6f3b967ca51d6e7e107bebd172a4bb66
GIT binary patch
literal 730
zc$_n6V!CF~#JFz(GZP~d6SIkAlmRarr&gOs+jm|@Ms8LH18GA^193LyP!?t$fy}%T
z-J;?|-IB!Ig4Cka6azVNUPEI;10y3t3j+f~vnX+1BM{dB$~90iR5DP2XqH6Qs0%Ww
zEHNiDMK?7SXulG&t&FS;%uS5^3_x)%rY1&4hD+N54g?-bFOIm^)v6P0nB4cEX`T%K
z3GbirMzJ@#N-}Tjg>s61=3BV_V$<R!^Ot}AA8<%Iy0akh{jc7Vn$<gZs(hZa_3r;i
z7h+!6Y&noK^R#!G+`q;LJ})}<DMhH?nt4n|di9y5+Roz4i>wbeG8z9AS!Q>uecOYm
zhowrDY5^|QY8M3``rj3}u-8EB|F3IDgA-Zjo@!6opy85~ykJK3`D`(Fv)IVHNg7=%
zuDu9L6fe@7$R-{6-Q(Cp<8l{^?Z(3HY=Y^BcFeyi@Gz!HQa(40SM#0Z1lbo0Q+Ea)
zT&yj2>XT;W-ie2cT<cWk)P{2LavkS*Tbyu{>+(Dmtx&P)OgEXB85tNCOBqNQa00_p
zR+xp!fWd$p#N=mT0Y=<Ev^Zl11=^fbt3syF3_5jI<IHoX>XRkqXIhpV3=3H!Q@6ga
zzOs*5`tBt^`{OMJW_*?3c`l#nu9IN)YDu}Y%Z9CH_3@c2Rcv=j_OB@Y&$@SY!WP|D
zx8UY2Od)n2i^9tKHZR?CwQt{%#ma%#ByBY|F#jrFE~C8vukJmQ1Khs~E*yH_+P9|S
z<&LkPj?ONYJYUAX&|uf0yGn<2G<V%mo9(wfvMlgkt19#7Hxg~BOko;*(NilbPRu>J
zEqJxJ(f<HHb@oRq4hv`WH0@m^?<ny$$z{r;^NIIYOgFx9Ked{zQ#f&pW?R#%3~jOH
km3{^V-fHr0U#$6k>UZD0`nm2gyTp3=tHQhIFT7_A08@`9<p2Nx
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..aa17cacc5a2c56c454ac92144ff54200dd253ef0
GIT binary patch
literal 727
zc$_n6V!CY5#JGC_GZP~d6SK~7O#@ywPOUbNw(q=*jNGgY1`>v11|n?Cp)AZiyqS3=
zx<$o_x@CzunJETx;=G2&h6YAPh86|}hGtRXyhb3d0hDW?VyI-G0MRK4*QE<Gqa-o6
zAhjqpMK?7SXt@%ym5i(m%uS5^3_x)%rY1&4h9fHSYwQ==WW9`C)zn_Rb184SICIh$
z@f%OuGVircdAuZU_QO9GH`S&m9dFX%W}4gi_G`}kCEvO<SUC?@M%8Udz1M&2^ta<(
zw}pOfYhAWy>derJQ|k7evknV=5mJo1y(D5g+j6GU`$ebfe92Rt;t<(a>{q$g?5Rs&
zf#}`zs-;U0a#fXE@Adx}=Bcziv~;HbvyH)1{s#Ul(((Uh#j+`3M}Jp;+_}t(X+gIe
zvNwb%M2auG8`QXA|3_w@XIui#`8Bt@--eu$eD?UmvdD0ecf~X3Y(Et(aMWr0G9K?u
zjcJ=5-j*!UEDPlQu;}Welv&AD^7<Edm#3NM-+TBa$g1*Mk4Y*MGb01zVkrX&15RLA
z$_leE888@dgP8m*EWlX%hZbSXpg>a+U%5Nh;l;x{|0jt&yTl>Hw&}}L^Xi#?AN?YW
z*B_k8#LRtO+WBi>r;bg-qO)tvF1+vx;}$kcTvzZ(^D6(6&o-Pw$Fz%P+f_UYS(3@M
z;KH356W>ne6mRT}TQNCNbLG7$tC^Euc^#VE*|?MCTk6Rrjh%|kugzBnER20FBDgqo
zui)GHWqR4aC$aZmx6-hA{p4MvYoXiC^}f%RRR&Ddbbj;W-tEYO4ok0tD{otha(uLm
znwy%VF`?>q-4DIge|nqimpb^b)$L_@F;S-I_>UtMK|Ib&0uMf3yVK^&LkB7Cp3O!N
ln6p;ax|F0AzFxj(=EOTXTA#OmG-}pb5uaJu_FR`;5CAdwEffF%
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..14ea086d456e4a9d443a07e103d0277410ce5b12
GIT binary patch
literal 712
zc$_n6Vme~b#JFYwGZP~d6AQyKZbJiJHcqWJkGAi;jEvl@3<eU0Vg@2?%%LpIJiM8C
zCAvk$iMnNpIhiR2a^k#(#)bw)Murv!28L!);=D#6t^t&5AYv$FAOO+HiO|)=sDx|<
zBP#=Q6C*zZP@IdYiII`vJohHwQwwGb&WS2|G|%AR-5Zsi6(&>87<jwa1YckGbW<;@
z`*wD9fsCwz|8{GCn@6rwPg#9jBxuh0SLv%fB!oXDaRi&11?C>|-Vs%M-tUybzo|uS
zNv|hyPnKm7UAVJZ<yTh0y%Q;~&6D5tm|yz3v!j#$c8Tiglk2a%lDlosa<#@vxzr+)
zW!|!9@mtp=Jr)#y`X*ee@cE<@ELU4q0$2TV;t0+>)%(Bl(!06-owI*!`@83}TAb~p
zdry7hmMra`e@w15aAxL@9v7uDzYtz?(XD4r{av2LAA8W2tu!J~xBu0m4Z(7M&YjYn
z6r)hd`T820seRcrx5&xuQ)eAaU97!xi8vE8BLm}NDFX=uPGH!{3bQa7Fc@%ynEWg(
zz-ao17D3FQK-1RL`PuaH$g^Z0iz`pGOq5M>8PmVKc7ORG{rjq(%d5ky&PL?LKRVzW
zowDWeuFIUeyfojhJQid4GkK|%@3Hi+-?;q?C06-7FAUiK=g6B|2?4^{Zkwjec)xIl
z(ars-Iv1vh8+!77Xq)Tteb4*dFV3o_oV)(I!ccfRb6uWy@45`rNo5lo_DtHvCJ+_6
zS@LrEUb&xL?sHBROuaqf;JUc`*Ss3-+*^+`y%h11I@BRqy}wR<hj{lJg@>^Pjeq-F
z@}3EQU-UQ6>FI?`^CMPP?`<?r7!<wadH8T+Yk^tdjTY~9+db|?Jnr9q*5uE0zV1CI
ZqaUjOFwO{>x+HFQ^yR0OtS_3*0{{zzEpz|?
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@@ -1,15 +1,16 @@
 [DEFAULT]
 head = head_psm.js
 tail =
 support-files =
   test_certificate_usages/**
   test_signed_apps/**
   tlsserver/**
+  test_cert_signatures/**
 
 [test_certificate_usages.js]
 # Bug 676972: test fails consistently on Android
 fail-if = os == "android"
 [test_signed_apps.js]
 # Bug 676972: test fails consistently on Android
 fail-if = os == "android"
 [test_signed_apps-marketplace.js]
@@ -25,8 +26,11 @@ skip-if = os == "android"
 # Bug 676972: test hangs consistently on Android
 skip-if = os == "android"
 [test_sts_preloadlist_perwindowpb.js]
 [test_sts_preloadlist_selfdestruct.js]
 [test_ocsp_stapling.js]
 # Bug 676972: test fails consistently on Android
 fail-if = os == "android"
 [test_sts_ipv4_ipv6.js]
+[test_cert_signatures.js]
+# Bug 676972: test fails consistently on Android
+fail-if = os == "android"
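Review bot: The new `[test_cert_signatures.js]` entry copies the `# Bug 676972: test fails consistently on Android` comment and `fail-if = os == "android"` from the entries above, and nothing in this hunk shows that the new test was actually observed to fail there. With `fail-if` the test still runs but is expected to fail, so on Android the valid-versus-tampered signature checks give no regression signal, and a run that passes would be reported as an unexpected pass. If the failure was confirmed, the comment should say what is left uncovered, for example `# Bug 676972: fails on Android; tampered-signature rejection is not exercised there`. If it was not confirmed, I would leave the annotation off until a run shows it is needed.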